- Training
- Training Live Events
- Training Without Travel
- SANS Courses
- Certified Instructors
- Career Roadmap
- Training Calendars
- SANS @Home
- SANS OnDemand
- Community SANS
- SANS Mentor Program
- SANS Onsite
- SANS SelfStudy
- SANS Partnership Series
- SANS Workshop Series
- Webcasts
- Work Study
- Events Archive
- DoD 8570
- Voucher Credit Program
- group discounts
- Certification
- Resources
- Vendor
- Portal
- Storm Center
- College
- Developer
- About
the most trusted source for computer security training, certification and research
Mass-Mailing Worms: Prevention, Detection and Response (A Case Study)
- Abstract
- Preventing mass-mailing worms from infecting the PCs in your network is obviously the cornerstone of any reasonable defense against them, but early detection and prompt isolation and recovery of any infections which do occur should be your second line of defense. In this paper I describe the approaches to mass-mailing worm prevention, detection, and incident response that I have developed and used on a large university network. The prevention strategy has encompassed user education and awareness, desktop anti-virus policy, and minimally invasive server-based filtering of incoming email, while the approach to worm detection is based on detecting traffic patterns of worm behavior on the network itself, using readily available open source tools, including the argus real time flow monitor and the Perl scripting language. In this paper I present results which demonstrate the efficacy of our strategies for prevention, behavior-based (as opposed to signature-based) detection, and recovery, and I discuss future directions based on lessons learned to date.